Topic: ICO secondment programme


Issue: A proposal for a proactive and continuous programme of inbound 
secondments to the ICO to supplement our established workforce. 


Background: 

Secondments can be beneficial to the ICO. Sending our staff out on 
secondment can be a way of both the individual and our organisation 
developing new skills and benefiting from outside experience and 
expertise. Similarly, inviting organisations to second staff to work at the 
ICO has the potential to: 

• Supplement our workforce at a time when increasing our capacity
and capability is a priority.

• Help us maintain our relevance by inviting our stakeholders to
second staff to us for a period of time, providing us with greater
insight into the work of those we regulate or work alongside.

• Improve information rights compliance as those seconded to us
return to their regular employers with increased insight into the
work of the regulator and the standards expected.


So far secondments have been occasional things which see us taking 
advantage of opportunities as they arise. This proposal suggests that we 
express an external and continuous interest in seconding people to work 
for us and develop a programme to ensure we maximise the benefit of 
any such arrangements. 


Discussion: 

One of the key issues to consider is that of potential conflicts of interest. 
Clearly having a secondee from a given sector working in an area which 
directly regulates that sector could be problematic. However, given the 
breadth of our work and the size of the organisation it ought to be 
possible to maintain the necessary segregation of duties needed for the 
programme to succeed. 


We would need to ensure that any secondment was sufficient in length to 
be of clear benefit to us. Whilst the duration of any given secondment 
may vary, based on the individual circumstances, we would expect them 
to be of a minimum of three months in cases where the secondee could 
be immediately productive, but more likely to be of at least 12 months in 
length where any significant training would be required. 


In terms of cost, we should ensure that the organisations seconding 
people to us derive a clear benefit from doing so. If we are offering a 
genuine insight into the work of the regulator then these secondment 
opportunities should be attractive to a great many stakeholders. Whilst 
we can typically expect to make a contribution to the salary of a secondee 
we would not expect this to exceed the cost of the equivalent ICO
member of staff for the same period unless in exceptional circumstances. 
In some cases we may be able to secure secondments at minimal cost to 
us. The cost of secondments would be covered by the salaries budget with 
this spend governed in the same way as all other recruitment activities. 


We must also recognise that in some cases there may be an expectation 
of a reciprocal arrangement, with us seconding someone to work with 
another organisation. We should of course review any such proposals on a 
case by case basis. However, it is important for the SLT to provide a steer 
as to our appetite to see staff seconded away from the ICO at any given 
time. This will require us to look at the medium and long term benefits as 
a means of offsetting the obvious short term cost of relinquishing our
staff to work elsewhere for a given period. 


It is also important that we recognise the sensitivity amongst our 
established workforce to our use of secondments. Secondments can 
create the impression that we lack confidence in the capability of our own 
workforce to ‘step up’ to fulfil the roles being offered on secondment. 
Whilst we should be sensitive to this, there is a place for secondments in 
addition to promotion or temporary promotion opportunities. Given the 
rate at which we are currently expanding there is no need for any 
secondment offered externally to be at the expense of an internal 
promotion opportunity. We should however commit to only agree to 
secondments where they enable the ICO to access otherwise unavailable 
insight or capability, or where they help us to develop our own capability 
more rapidly or easily. 


Given our ever developing international remit and workload we should 
also consider the potential benefit of international secondments, offering 
the opportunity for colleagues from other Supervisory Authorities to be 
seconded to work at the ICO. This will require us to consider applying to 
become a sponsoring department for the purposes of visa applications, 
but this feels appropriate given our international aspirations. 


Each department head would be responsible for identifying opportunities 
within their department for secondments to add value, but they would be 
expected to do this in line with the appetite for secondments as indicated 
by the SLT. 


The OD Department would develop a standard secondment policy and 
agreement to streamline the advertising and support of secondments and 
to ensure transparency across the programme. 


We should also consider hosting a dedicated page on the website to 
promote and explain the programme. The NCSC have the following web
page (see annex or link to https://www.ncsc.gov.uk/information/industry-100).


Something similar may therefore be suitable for us. 


Options and recommendations: 
We of course have the option not to pursue secondments as an element 
of our recruitment strategy. 


However, we recommend that we do establish a programme. It is widely 
accepted at the ICO that the expertise of our staff is in high demand by 
organisations seeking to prepare for and comply with GDPR. This same 
demand would, we believe, mean that organisations would be keen to 
second staff to the ICO as a way of deriving insight and expertise from 
the regulator. 


We also know that our guidance is widely used by our fellow Supervisory 
Authorities around the world. It therefore seems likely that being able to 
second staff to us to assist with the development of that guidance would 
be a very attractive proposition for those in a position to do so, with the 
added bonus of perhaps assisting with our aim of increasing our influence 
on the worldwide stage. 


It is also recommended that we prioritise secondments which directly 
support our strategic goal to be a tech-savvy regulator. Schemes like that 
available from the NCSC present a clear opportunity for us to bring in 
additional short term cyber expertise and experience whilst also investing
in the medium and long term development of some of our own staff in
this area.


Next steps: 

Views of all department heads were recently sought via the DCEO 
Steering Group with overwhelming support confirmed. If agreed we would 
need to prioritise the work involved as part of our wider OD programme of 
projects, but with the support and active participation of departments 
across the organisation there is no reason why this programme, at least
in a pilot form, could not be up and running relatively quickly.


Consultees: 


Simon Entwisle, Steve Wood, James Dipple-Johnstone, DCEO Steering Group. 


Annex 


Join the Industry 100 


One of the key objectives of the National Cyber Security Centre (NCSC) is to reduce risks to 
the UK by working with public and private sector organisations to improve their cyber 
security. As part of Industry 100, we are inviting organisations of all sizes to work with us by 
embedding staff into the NCSC so we can achieve a greater understanding of the cyber 
security environment using wide and diverse thinking. 


By working together in a number of roles throughout the organisation, we want to develop a 
clear understanding of the cyber threat to the UK and share information that can have an 
impact across the community. That means analysts, network defenders, academics and 
engagement partners working side by side, on the issues that matter. Whether that's writing 
guidance for dealing with ransomware attacks, or improving the way that company boards 
look at investment in cyber security - by working together, we are bringing industry and 
government expertise together in a way that helps us all learn lessons, identify systematic 
vulnerabilities and reduce the future impact of cyber attacks. 


How it works 


Teams from across the NCSC will post advertisements here (online) when we identify roles 
where we want to bring in industry expertise and ensure we're collaborating on important 
matters so we can improve our products and services. Whether you're a small or medium- 
sized enterprise or a multinational operating in the UK, we are seeking the very best from a 
wide variety of skills and sectors. 


As an organisation, you can apply to embed a person(s) as an integree and we will assess the 
suitability of the person on a case by case basis with a formal interview, and sometimes with 
additional testing. The requirement of the terms will vary across teams and all entrants are
subject to a screening process and contract between the NCSC and embedding organisation.


More posts are coming soon so watch this space! 

Note: This scheme is for organisations to apply and embed personnel. We will not accept 
applications for full time employment with the NCSC. Employment opportunities with the 
NCSC can be found on the Civil Service Jobs website. While we will endeavour to reply to 
each enquiry, we cannot guarantee this. 


Contact and applications 


All applications should be submitted within the conditions of the individual advert. 
Applications and general enquiries can be submitted to integrees@ncsc.gov.uk. 


You can access adverts from the 'downloads' tab. 


Please be aware that while the NCSC will respond to each application, this may take up to 30
days.




